Use the output buffer as a temporary buffer to store clamped private scalars

This might help avoid leaving a copy of the scalar on the stack.

Also use the same parameter names in donna as in the other implementations.
Maybe not the best possible names, but at least, things are consistent.
This commit is contained in:
Frank Denis 2017-10-24 17:41:32 +02:00
parent e254a654dc
commit 58fa4172a5
4 changed files with 75 additions and 74 deletions


@ -501,29 +501,27 @@ crecip(felem out, const felem z)
/* 2^255 - 21 */ fmul(out, t0, a);
}
static const unsigned char basepoint[32] = { 9 };
static int
crypto_scalarmult_curve25519_donna_c64(unsigned char *mypublic,
const unsigned char *secret,
const unsigned char *basepoint)
crypto_scalarmult_curve25519_donna_c64(unsigned char *q,
const unsigned char *n,
const unsigned char *p)
{
limb bp[5], x[5], z[5], zmone[5];
uint8_t e[32];
int i;
limb bp[5], x[5], z[5], zmone[5];
unsigned char *t = q;
int i;
for (i = 0; i < 32; ++i) {
e[i] = secret[i];
t[i] = n[i];
}
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
fexpand(bp, basepoint);
cmult(x, z, e, bp);
fexpand(bp, p);
cmult(x, z, t, bp);
crecip(zmone, z);
fmul(z, x, zmone);
fcontract(mypublic, z);
fcontract(q, z);
return 0;
}
@ -532,6 +530,8 @@ static int
crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q,
const unsigned char *n)
{
static const unsigned char basepoint[32] = { 9 };
return crypto_scalarmult_curve25519_donna_c64(q, n, basepoint);
}
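Review bot: Writing the clamped scalar into `q` before `fexpand(bp, p)` breaks in-place calls where the caller passes the same buffer as `q` and `p`: the loop `t[i] = n[i]` and the three clamping stores now overwrite `p` before it is read, whereas the old stack copy `e` left `mypublic` untouched until `fcontract`. Moving `fexpand(bp, p);` above the copy loop restores that, and the same reordering applies to `fe_frombytes(x1, p)` in the ref10 and sandy2x sections. Note also that `q == n` now clamps the caller's scalar in place through the `const` pointer, a contract change worth stating in a comment on the function if it is meant to be tolerated.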


@ -177,25 +177,25 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
const unsigned char *n,
const unsigned char *p)
{
unsigned char e[32];
unsigned int i;
fe x1;
fe x2;
fe z2;
fe x3;
fe z3;
fe tmp0;
fe tmp1;
int pos;
unsigned int swap;
unsigned int b;
unsigned char *t = q;
unsigned int i;
fe x1;
fe x2;
fe z2;
fe x3;
fe z3;
fe tmp0;
fe tmp1;
int pos;
unsigned int swap;
unsigned int b;
for (i = 0; i < 32; ++i) {
e[i] = n[i];
for (i = 0; i < 32; i++) {
t[i] = n[i];
}
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
fe_frombytes(x1, p);
fe_1(x2);
fe_0(z2);
@ -204,7 +204,7 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
swap = 0;
for (pos = 254; pos >= 0; --pos) {
b = e[pos / 8] >> (pos & 7);
b = t[pos / 8] >> (pos & 7);
b &= 1;
swap ^= b;
fe_cswap(x2, x3, swap);
@ -255,18 +255,18 @@ static int
crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
const unsigned char *n)
{
unsigned char e[32];
ge_p3 A;
fe pk;
unsigned int i;
unsigned char *t = q;
ge_p3 A;
fe pk;
unsigned int i;
for (i = 0; i < 32; ++i) {
e[i] = n[i];
for (i = 0; i < 32; i++) {
t[i] = n[i];
}
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
ge_scalarmult_base(&A, e);
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
ge_scalarmult_base(&A, t);
edwards_to_montgomery(pk, A.Y, A.Z);
fe_tobytes(q, pk);


@ -25,22 +25,22 @@ static int
crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n,
const unsigned char *p)
{
unsigned char e[32];
unsigned int i;
unsigned char *t = q;
fe var[3];
fe51 x_51;
fe51 z_51;
unsigned int i;
fe var[3];
fe51 x_51;
fe51 z_51;
for (i = 0;i < 32;++i) e[i] = n[i];
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
for (i = 0; i < 32; i++) {
t[i] = n[i];
}
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
fe_frombytes(x1, p);
ladder(var, e);
ladder(var, t);
z_51.v[0] = (z2[1] << 26) + z2[0];
z_51.v[1] = (z2[3] << 26) + z2[2];
@ -71,20 +71,20 @@ static int
crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q,
const unsigned char *n)
{
unsigned char e[32];
unsigned int i;
unsigned char *t = q;
fe var[3];
fe51 x_51;
fe51 z_51;
unsigned int i;
fe var[3];
for (i = 0;i < 32; i++) {
t[i] = n[i];
}
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
fe51 x_51;
fe51 z_51;
for (i = 0;i < 32;++i) e[i] = n[i];
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
ladder_base(var, e);
ladder_base(var, t);
z_51.v[0] = (z2[1] << 26) + z2[0];
z_51.v[1] = (z2[3] << 26) + z2[2];
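Review bot: In `crypto_scalarmult_curve25519_sandy2x_base` the rendering suggests the new side declares `fe51 x_51;` and `fe51 z_51;` after the copy loop and the clamping stores; if that is the real order it is a mixed declaration that none of the other three files use, and the two lines should move up next to `unsigned int i;` and `fe var[3];`. The loop header `for (i = 0;i < 32; i++)` is also missing the space after the first `;` that the sibling loop `for (i = 0; i < 32; i++)` in `crypto_scalarmult_curve25519_sandy2x` has. Both functions continue past the end of the hunk.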


@ -3,6 +3,7 @@
#include "crypto_scalarmult_ed25519.h"
#include "private/curve25519_ref10.h"
#include "utils.h"
static int
_crypto_scalarmult_ed25519_is_inf(const unsigned char s[32])
@ -31,10 +32,10 @@ int
crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
const unsigned char *p)
{
unsigned char t[32];
ge_p3 Q;
ge_p3 P;
unsigned int i;
unsigned char *t = q;
ge_p3 Q;
ge_p3 P;
unsigned int i;
if (ge_is_canonical(p) == 0 || ge_has_small_order(p) != 0 ||
ge_frombytes_negate_vartime(&P, p) != 0 ||
@ -59,9 +60,9 @@ int
crypto_scalarmult_ed25519_base(unsigned char *q,
const unsigned char *n)
{
unsigned char t[32];
ge_p3 Q;
unsigned int i;
unsigned char *t = q;
ge_p3 Q;
unsigned int i;
for (i = 0; i < 32; ++i) {
t[i] = n[i];
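Review bot: `unsigned char *t = q;` in both `crypto_scalarmult_ed25519` and `crypto_scalarmult_ed25519_base` turns the output buffer into scratch for the clamped scalar, but nothing in the hunk records that `q` may no longer overlap `n` (or `p`), a requirement the previous `unsigned char t[32]` did not have. A one-line comment beside the declaration, `/* q doubles as scratch for the clamped scalar; it must not alias n or p */`, would make the contract visible at the public entry point. Both function bodies continue beyond the hunk, so where the copy loop sits relative to the `p` validation at the top of the first function cannot be confirmed here.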